Who we are

feder8d (“we”, “us”) is the controller for the personal information collected via our public website at feder8d.ai and the processor for personal information our customers ingest into the feder8d platform on behalf of their end users.

Information Officer (POPIA): Adrian de Vries. Contact: legal@feder8d.ai.

EU Representative (GDPR Art. 27): engaged within 30 days of first EU customer; address available on request.

Scope of this policy

• Website visitors — this policy applies in full.
• Customers — this policy plus the Data Processing Agreement at /legal/dpa applies.
• End users of customer-built AI products — the customer is the controller for your personal information; refer to their privacy policy. feder8d is their processor under contract.

Information we collect

From website visitors

• Email address (if you contact us or fill out a form).
• Standard server logs (IP, user agent, timestamp), retained for 24 hours by Cloudflare.
• We do not set tracking cookies. We do not use third-party analytics that fingerprint visitors.

From customers

• Account information: email, workspace name, billing address. Billing card data is processed by Dodo Payments and never touches feder8d systems.
• Usage telemetry: token counts, audit categories, latency metrics. No prompt or completion content.

From end users of customer products

• Whatever the customer ingests into their workspace.
• We process this on the customer’s instructions only.

Where your data lives

• Tenant data is resident in af-south-1 (POPI clean) for customers on our SaaS.
• Inference processing happens in eu-central-1 (GDPR sub-processor disclosure applies). Prompts cross the border in encrypted form via Linkerd mTLS but are not logged at the model plane.
• Backups are encrypted with per-tenant KMS keys and remain in af-south-1.

Sub-processors

Public list at /legal/sub-processors. We give 30 days’ notice before adding any sub-processor.

Your rights

Under GDPR (EU) and POPIA (South Africa), you have the right to:

• Request access to your personal information (DSAR).
• Request rectification of inaccurate information.
• Request erasure (“right to be forgotten”).
• Request restriction of processing.
• Request portability of your data.
• Object to processing for direct marketing.
• Lodge a complaint with a supervisory authority (Information Regulator SA; your local EU DPA).

Customers can exercise these rights through the Tenant Console (Admin → Privacy). End users should contact the customer who controls their data. For website visitors, email legal@feder8d.ai.

DSAR endpoints

The Tenant API exposes machine-readable endpoints for customers to fulfil their controller obligations:

• POST /admin/users/{id}/export — returns a portable archive.
• POST /admin/users/{id}/erase — deletes all data for a data subject.
• GET /admin/users/{id}/data-inventory — lists what’s stored, where, and why.

We respond to all DSARs within 30 days, extendable once by 30 days under GDPR Art. 12(3) for complex requests.

Retention

• Account data: lifetime of the contract plus 90 days, then deletion.
• Audit logs: 12 months at SaaS launch.
• Suspended accounts: 30 days frozen, then purged.
• Special-PI collections: deleted immediately on cancellation (no retention period).

Breach notification

We notify affected customers within 72 hours of becoming aware of a personal data breach, per GDPR Art. 33 and POPIA Sec 22. The audit pipeline triggers our breach runbook automatically on isolation violations.

Children

feder8d is not directed at children under 16. We do not knowingly collect their data.

Changes to this policy

Material changes are announced with 30 days’ notice via email and on this page. Last updated 2026-06-01T00:00:00.000Z.

Contact

Privacy questions: legal@feder8d.ai

Security incidents: security@feder8d.ai